CVE-2020-15146

CRITICAL

SyliusResourceBundle <1.3.14-1.6.4 - RCE


Description

In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, request parameters injected into an expression evaluated by the `symfony/expression-language` package were not sanitized properly. By manipulating such a request parameter, an attacker can access any public service, which allows for Remote Code Execution. This issue has been patched in versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.

Scores

CVSS v3 9.6
EPSS 0.0106
EPSS Percentile 77.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Details

CWE
CWE-917, CWE-74
Status published
Products (2)
sylius/resource-bundle 1.4.0 - 1.4.7 (Packagist)
sylius/syliusresourcebundle < 1.3.13
Published Aug 20, 2020
Tracked Since Feb 18, 2026